TACACS for user in multiple groups

John.Mason1978
Level 1

Hi,

Quick question about TACACS and a user that needs to be in more than 1 group.

We have a networkAdmins group that is linked to the AD domain Admins group, with a network admin in it.

We then have another group for firewalls which is linked to the firewall access group in AD. One user is in both groups, which have both been created using a manual mapping in TACACS, but the user is only showing up in the NetworkAdmin group, not in the firewall admin group.

Any ideas why the user is not showing up, or is this even possible?

Thanks

5 Replies

nspasov
Cisco Employee

Hello John-

You can have a user be part of more than one group. You just need to make sure that both of the groups are pulled from AD and then you can build your authorization rules based on that.

Let me know if this makes sense or if you need more details.

Hi Neo,

Thanks for the fast reply.

That makes sense.

So my user, for example, is currently in the network admins group populated via AD, but there are ACS local users in that group.

If I remove the local users then AD should populate both groups with my user.

No problem! I have had issues in the past when the local and the domain user are the same. You can still get around that by defining what identity stores are used (for example, excluding the internal user database) and/or by properly constructing your authorization rules.

Also, are you using ACS 4.x or 5.x?

Thank you for rating!
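The failure mode described in this reply, modelled as an added example (not ACS code; the store names, user and groups are constructed): a username that exists in both the internal store and AD is resolved from whichever store is consulted first, so with the internal store in the sequence the local entry shadows the AD entry and only its single group reaches the authorization rules.

```python
"""Simplified model of identity-store lookup order and group-based
authorization rules in an AAA server. Constructed example, not ACS code:
store names, the user and the groups are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    store: str           # which identity store answered the lookup
    groups: frozenset    # group memberships known to that store


# Constructed directories: the same username exists locally and in AD,
# but the local (internal) entry carries only one group.
INTERNAL_USERS = {"jmason": Identity("internal", frozenset({"networkAdmins"}))}
AD_USERS = {"jmason": Identity("AD", frozenset({"networkAdmins", "firewallAdmins"}))}
STORES = {"internal": INTERNAL_USERS, "AD": AD_USERS}

# Authorization rules: (required group, shell profile granted), in order.
RULES = [
    ("networkAdmins", "priv15-routers"),
    ("firewallAdmins", "priv15-firewalls"),
]


def resolve(username, store_sequence):
    """Return the identity from the first store in the sequence that knows the user."""
    for name in store_sequence:
        ident = STORES[name].get(username)
        if ident is not None:
            return ident
    return None


def authorize(username, store_sequence, first_match=False):
    """Resolve the user, then collect every rule whose group the user holds.
    first_match=True mimics a policy that stops at the first matching rule."""
    ident = resolve(username, store_sequence)
    if ident is None:
        return {"store": None, "groups": [], "profiles": []}
    profiles = []
    for group, profile in RULES:
        if group in ident.groups:
            profiles.append(profile)
            if first_match:
                break
    return {"store": ident.store, "groups": sorted(ident.groups), "profiles": profiles}


if __name__ == "__main__":
    print(authorize("jmason", ["internal", "AD"]))  # local entry shadows AD: one group only
    print(authorize("jmason", ["AD"]))              # AD only: both groups, both profiles
```

Excluding the internal store (or removing the duplicate local account) lets the AD memberships through; a first-match rule policy would still grant only the first matching profile, which is the other thing to check.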

Yes, I inherited this system. It's version 4, and this exercise has prompted us to redesign the ACS.

Thanks for your help

Those are always nice when you inherit these types of systems. I don't know if you have had any experience with 5.x, but I highly recommend migrating to it. It is much nicer in terms of building blocks, logging, monitoring etc., and it does not run on Windows.
